…In a report
posted today, BAE Systems warns of the difficulty
in making positive attribution to cyber attacks. Nevertheless, it gives enough clues for any
reader to point the finger ultimately at North Korea. For example, BAE Systems first suggests a very
strong likelihood that the same group is behind both the Bangladeshi and
Vietnam breaches using malware based on msoutc.exe. This it then links to 'a larger toolkit
described in US-CERT Alert TA14-353A.'

Germany's domestic secret service said Friday it had evidence that Russia
was behind a series of cyber attacks, including one that targeted the German
parliament last year.

The operations cited by the BfV intelligence agency ranged
from an aggressive attack called Sofacy or APT 28 that hit NATO members and
knocked French TV station TV5Monde off air, to a hacking campaign called
Sandstorm that brought down part of Ukraine's power grid last year.

This could get strange. I don’t have to give them my password or tell them which of the hundreds
of social media tools I use. How will
they determine which are mine and which belong to students who create a post in
my name?

The government has released a first-ever social media
policy for background investigations, which will scan what applicants have
posted on Facebook, Twitter and other sites to determine their trustworthiness.
Read
the full story on the Washington Post, and see the policy
document.

Why would they need to do this? Does it make them feel more James
Bond-like?

Philly Police Admit They Disguised a Spy Truck as a Google
Streetview Car

The Philadelphia Police Department admitted today that a
mysterious unmarked license plate surveillance truck disguised as a Google Maps
vehicle, which Motherboard first
reported on this morning, is its own.

In an emailed statement, a department spokesperson
confirmed:

“We have been informed that this unmarked vehicle belongs
to the police department; however, the placing of any particular decal on the
vehicle was not approved through any chain of command. With that being said, once this was brought to
our attention, it was ordered that the decals be removed immediately.”

…“For one, I
would think it's highly illegal to have Google's markings on there, but that's
another issue entirely,” Worf said. “But
it boils down to the fact that most people at first glance wouldn't recognize
an ALPR system if they saw it, and for those that do, they likely wouldn't know
what Google would be doing with one.

“Frankly, what I don't get is why they felt a need to hide
something like this. It certainly makes one question the motive for doing
so," he added.

“It’s certainly concerning if the city of Philadelphia is
running mass surveillance and going out of its way to mislead people,” said
Dave Maass, a former journalist and researcher at the nonprofit advocacy group
Electronic Frontier Foundation.

[Note – no affiliation whatsoever – just an interesting
announcement] – “ROSS Intelligence is proud to announce that AmLaw100 law
firm BakerHostetler has agreed to retain use of ROSS Intelligence’s artificial
intelligence legal research product. ROSS Intelligence Co-Founder Andrew Arruda
officially announced the partnership at Vanderbilt Law School’s “Watson, Esq.”
conference in Nashville, Tennessee in April. BakerHostetler will license ROSS for use in its Bankruptcy, Restructuring and
Creditors’ Rights team. The
ROSS platform is built upon Watson, IBM’s
cognitive computer. With the support of
Watson’s cognitive computing and natural language processing capabilities,
lawyers ask ROSS their research question in natural language, as they would a
person, then ROSS reads through the law, gathers evidence, draws inferences and
returns highly relevant, evidence-based candidate answers. ROSS also monitors the law around the clock to
notify users of new court decisions that can affect a case. The program continually learns from the
lawyers who use it to bring back better results each time…”

Obama will need to send in the Army. Imagine all the government agencies that
could be replaced by contractors doing their job better and cheaper! Government would become a Libertarian
dream.

Phoenix’s busiest airport could cut ties with the TSA in
the wake of a baggage-screening system breakdown that caused travelers a
massive luggage delay, city officials said Friday.

Deborah Ostreicher, the city’s assistant aviation
director, said Thursday’s chaos at Phoenix Sky Harbor International Airport was
the latest in a growing list of frustrations with the Transportation Security
Administration.

She also cited long wait times and a lack of a TSA
PreCheck process.

…Calling the
current level of service “unacceptable,” Ostreicher said officials are
reviewing several options to improve things for travelers.

“One of those options is to utilize a contractor to
provide security as some other airports have done,” Ostreicher said in a
statement.

Phoenix is not alone. The world’s busiest airport in Atlanta and the
New York/New Jersey region’s airports are also scrutinizing their relationship
with TSA.

This is actually for my Architecture class. If they can’t build it secure, no one will
trust it.

…If you’d like to
learn more about AWS IoT Button, Amazon has a handy step-by-step tutorial that walks you through setting
up the device and integrating it into your workflow. But first of all, you’ll have to get your
hands on one, which at this time is unfortunately a bit hard to do. Amazon has already sold out of the $20 device after less than a day on
the market.

Amazon likely didn’t realize what a hot commodity it had
on its hands and is going to need to crank up the production numbers pronto to
appease tech fiends that are quickly embracing the IoT movement.

Just in time for our 3D Printing class. (Includes “Build Your Own Printer” links)

…“Frustrated with how
colleges have handled their claims of sexual abuse, more students are turning
to social media to publicize their cases,” Inside Higher
Ed reports.

…Famed tech
startup accelerator program Y Combinator is launching HARC,
the Human Advancement Research
Community. The mission is to copy
the old Xerox PARC model and to “ensure human wisdom exceeds
human power, by inventing and freely sharing ideas and technology that allow
all humans to see further and understand more deeply.”

…“Dropbox’s new
education tier has most of its business features for a third of the price,” says
The Next Web.

Friday, May 13, 2016

Bangladesh Bank heist similar to Sony hack; second bank hit
by malware

Investigators probing the cyber heist of $81 million from
the Bangladesh central bank connected it on Friday to the hack at Sony Corp's
film studio in 2014, while global financial network SWIFT disclosed a
previously unreported attack on a commercial bank.

SWIFT did not say which
commercial bank it was or whether it had lost money, but cyber-security firm
BAE Systems said a Vietnamese bank, which it did not name, had been a target. It was not clear if they were referring to the
same attack and there was no immediate comment from authorities in Hanoi.

…In
Bangladesh, cyber-security experts hired by the central bank said in a report
that hackers were still inside the bank's network, monitoring the investigation
into one of the biggest cyber heists in the world.

…The report said
investigators knew little about a third group of hackers found inside the
network, referred to as Group Two, except that they were using mostly
commodity, or off-the-shelf, hacking tools. [So any teenager with an adequate allowance could hack this bank. Bob]

(Related) “It is better to look good than to feel good.” Hernando (and politicians everywhere)

A series of cybersecurity incidents at the federal office
safeguarding bank deposits has seriously shaken the confidence of House members
who were dismayed by agency testimony Thursday.

Lawrence Gross, the Federal Deposit Insurance Corp.’s
chief information and chief privacy officer, was called before the panel to
explain the removal of sensitive electronic data by employees. Members also accused the agency of obstructing
a congressional investigation into the cyber-issues.

Since October, a series of violations by seven employees
as they were leaving the agency, including five
cases The Post reported earlier this week, resulted in the breach of
personal information belonging to more than 160,000 individuals, according to
Loudermilk.

“To date, FDIC has failed to notify any of those
individuals that their private information may have been compromised,” he
added.

“This is a guideline. Only a fool would submit 99 identical subpoenas
and expect a judge not to notice.”

A federal judge in Brooklyn ruled on Thursday that
prosecutors could not force Facebook to remain silent about 15 grand-jury
subpoenas involving the company’s customers.

The judge, James Orenstein, said that the prosecutors had
legitimate concerns that their investigations might be compromised, but he
added that the government’s boilerplate requests, made in identical language in
each of the 15 applications for a gag order, were insufficiently detailed.

…The House
Oversight Committee has called
officials to testify from the Office of Personnel Management (OPM) and
the Office of the Director of National Intelligence. Congress is pressing
agencies to start using social media and other public information online in
background checks. OPM has recently been soliciting vendors for a pilot project
to use software that automatically scrapes the web for information helpful in a
background check. You can read
our preview of the hearing here.

An interesting exercise. Perhaps we could automate this process to
compare all countries as the laws change? Would be fun to try with IBM’s Watson and a few other free tools!

Regan, Priscilla M. and Bennett, Colin and Bayley, Robin,
If These Canadians Lived in the United States, How Would They Protect Their
Privacy? The Functional Equivalence of
Privacy Redress Mechanisms in Canada and the US (May 10, 2016). 2016 Privacy
Law Scholars Conference, George Washington University, June 2-3, 2016.
Available at SSRN: http://ssrn.com/abstract=2778070

“Recent commentary has contended that, despite the fact
that the U.S. does not have a comprehensive data protection statute nor a data
protection authority, the entire regime for the protection of privacy is
essentially and functionally equivalent to those in other advanced democratic
states. We subject that hypothesis to
empirical examination by investigating seven actual complaints and
investigations conducted under the Canadian Personal Information Protection and
Electronic Documents Act (PIPEDA). These
are real cases brought by real individuals. In each case, we ask the question,
if these same fact situations occurred in the U.S., how would these individuals try to advance
their privacy rights and seek redress? We examine cases from different sectors:
credit reporting, insurance, online advertising, online dating, banking, hotels
and cellular communications. The cases
are not representative. Nevertheless,
our results highlight the advantages of a single point of contact, a
comprehensive legal framework, and of a system that relies less on litigation.”

As a concerned citizen, I might start an independent LLC
to gather funds earmarked for all potential political hot buttons. I would take a modest 98% administration
fee.

“Dark
Money Watch, a project of MapLight,
is a hub for information about dark money in U.S. elections. Our goal is to support investigations of dark
money in order to help the public understand how hidden donors can influence
our political system…. Dark money comes
from groups that are not required to disclose their donors. It pays for ads and other efforts to influence
elections, but voters often don’t know who is behind those efforts.”

Google announced a new SyntaxNet open-source neural network framework
that developers can use to build applications that understand human language. As part of that release, Google also
introduced Parsey McParseface, a new English language parser that was trained
using SyntaxNet.

The launch is a move to democratize the tools for building
applications powered by machine learning.

Roughly half of all Web traffic comes from bots and
crawlers, and that's costing companies a boatload of money.

That's one finding from a report released Thursday by DeviceAtlas, which makes software to
help companies detect the devices being used by visitors to their websites.

Non-human sources accounted for 48 percent of traffic to
the sites analyzed for DeviceAtlas's Q1 Mobile Web Intelligence Report,
including legitimate search-engine crawlers as well as automated scrapers and
bots generated by hackers, click fraudsters and spammers, the company said.

…"We used to think of bots as passive ambient
noise," Cremin said. "That's now changed to the point where they
actually interact with the sites they visit and mimic human traffic
exactly."

Investigators examining the theft
of $104 million from Bangladesh’s central bank have uncovered evidence of three
hacking groups — including two nation states — inside the bank’s network but
say it was the third, unidentified group that pulled off the heist, according
to two people briefed on the progress of the bank’s internal investigation.

FireEye Inc., the company hired by
the bank to conduct the forensics investigation, identified digital
fingerprints of hacking groups from Pakistan
and North Korea, the two people said. It hasn’t found enough data to determine
whether the third group, the actual culprit, was a criminal network or the
agent of another nation.

Mozilla wants U.S. to disclose to it first any vulnerability
found in Tor

Mozilla has asked a court that it should be provided
information on a vulnerability in the Tor browser ahead of it being provided to
a defendant in a lawsuit, as the browser is based in part on Firefox browser
code.

“At this point, no one (including
us) outside the government knows what vulnerability was exploited and whether
it resides in any of our code base,” wrote Denelle Dixon-Thayer, chief legal
and business officer at Mozilla, in a blog post Wednesday.

Mozilla is asking the U.S. District Court for the Western
District of Washington, in the interest of Firefox users, to ensure that the government disclose the vulnerability to it
before it is revealed to any other party. The rationale behind the request, according to
Mozilla: Any disclosure without advance notice to Mozilla will increase the
likelihood that the exploit will become public before Mozilla can fix any
associated vulnerability in Firefox.

…The government
has so far refused to tell Mozilla whether the vulnerability at issue in the
case involves a Mozilla product. But
Mozilla said in the filing that it has reason to believe that the exploit used
by the government “is an active vulnerability in its Firefox code base that
could be used to compromise users and systems running the browser.”

The government has also refused to tell Mozilla if the
exploit went through the Vulnerabilities Equities Process (“VEP”), which is a
government process for deciding whether to share or not information on security
vulnerabilities, according to Mozilla.

If Mozilla is not allowed to intervene in the case to
protect its interests, the court should certainly allow Mozilla to appear as a
friend of the court or amicus curiae, according to the filing.

(1) “personally identifiable
information” (“PII”) includes
the GPS coordinates of a device; and

(2) a user of a mobile
application – even one who does not pay or
otherwise register to use the app – qualifies as a “consumer”
entitled to the protections of the Act.

Although the information Gannett
transferred to a third party also included unique device identifiers (i.e.,
an Android ID), the court noted that its holding “need not be quite as broad as
[its] reasoning suggests,” leaving unanswered the question of whether device
identifiers alone would constitute PII.

With this condition set out in
the holding, the decision may not be as far out of step with a slew of prior
federal district court decisions holding that a consumer’s personal data, when
disclosed, must identify a particular individual, without more,
to qualify as PII. The court found that GPS coordinates are more like a traditional street
address than numeric device IDs such that their disclosure
“effectively reveal[ed] the name of the video viewer.”

State workers are raising deep
concern after learning a prominent anti-union group is seeking their personal
information, including their birth dates, worrying it could lead to widespread privacy
violations and identity theft.

Complaints began pouring into
various unions representing state workers over the last month after the
Olympia-based Freedom Foundation filed public records requests for information
about thousands of workers.

Facebook announced today that the source code of its capture the flag
(CTF) platform has been made available on GitHub.

The social media giant says its goal is to help those who
want to learn about hacking and allow them to put their skills to the test. The company wants to make security education
more accessible to schools, students and non-profit organizations. The platform has been released under a
Creative Commons license for use by non-commercial entities for educational
purposes.

Facebook’s CTF platform includes everything one needs to
run a hacking competition, including a game map, team registration and a
scoring system. Some challenges can also
be provided upon request, including for reverse engineering, web application
security, forensics, binary exploitation, and cryptography. Users can also utilize the Facebook CTF
platform to build custom challenges.

For my Architecture students. I learned this, many moons ago, as “disintermediation.”

One of the oldest business models in the world is using
new technology to trample traditional businesses, drive innovation, and create
new and immense sources of value. Matchmakers, the subject of our new book, make it easy for two or more
groups of customers, like drivers and riders in the case of Uber, to get
together and do business. They operate
platforms that make it easy and efficient for participants to connect and
exchange value.

LitCharts
is a relatively new service that provides teachers and students with guides and
summaries of classic and popular literature. The service currently offers more than 300
titles.

LitCharts
guides can be viewed online or you can download the guides as PDFs. To download a PDF you do have to enter your
email address. The online version of the
guides available on LitCharts feature background information on a book's
author, a color-coded list of themes in the book, a plot summary, a character
list and summary, and an interactive chart board of themes in the book.

The interactive chart boards on LitCharts offer a way to
explore the entire guide from one place. The chart board is a wheel of chapters of a
book. The wheel is color-coded with
themes from the book. When you click on
a chapter and color in the chart board you will be shown a short summary of
that section of the book followed by a link to read more. Color-coding makes it fairly easy to follow a
theme through the book.

This past Thursday, the FBI proposed that its biometric database be exempt
from several provisions of the Privacy Act, US legislation that mandates that
any federal agency must inform individuals about the records they collect and
keep about them.

The FBI’s Next Generation
Identification System (NGIS) is a database of biometrics information such as
fingerprints, eye scans, facial scans, and even DNA samples.

The database is often used to
identify crime suspects, and while in past times the database was rarely used,
with the emergence of modern biometrics authentication systems, the database’s
importance has grown tenfold because it also allows the FBI access to locked
devices.

Back in 2015, after a long battle in court, the Electronic
Frontier Foundation discovered that the database already contained details for
over 52 million people. The US has a
population of around 320 million.

In March 2016, The San Diego Union-Tribune discovered that the FBI was
actively going after biometrics data contained in private databases managed by
services such as Ancestry.com and 23andme.

Drones. When you
hear that word, think of the Hitchcock movie “The Birds.”

CRS Reports & Analysis Legal Sidebar – Delivery
Drones: Coming to the Sky Near You? – 05/06/2016: “Can you prevent a drone
from flying over your house to deliver a package to your neighbor? Until now, that question has been of purely
theoretical interest. However, the
Senate recently passed a bill that could significantly change the operational
landscape for unmanned aircraft systems (UAS or drones) and make these kinds of
hypothetical delivery drones a reality.”

The Vermont legislature has
passed a sweeping bill that would establish robust privacy protections in the
state. If ultimately signed into
law, it would not only limit warrantless surveillance and help ensure
electronic privacy in Vermont, but would also hinder several federal
surveillance programs that rely on cooperation and data from state and local
law enforcement.

As passed, the legislation would
ban the warrantless use of stingray devices to track the location of phones and
sweep up electronic communications, restrict the use of drones for surveillance
by police, and generally prohibit law enforcement officers from obtaining
electronic data from service providers without a warrant or a judicially issued
subpoena.

Allegations of political bias at Facebook exploded into
national view on Tuesday as a Senate chairman pressed the company on whether
conservative content is suppressed on the site.

Senate Commerce Committee Chairman John Thune (R-S.D.) sent a letter asking Facebook CEO Mark
Zuckerberg to address the “serious allegations” that conservative content has
been excluded from the site’s “Trending Topics” section.

…Facebook
vehemently denies the charge, with an executive stating flatly on Tuesday that
the company has “found no evidence that the anonymous allegations are true.”

“Facebook does not allow or advise our reviewers to
systematically discriminate against sources of any ideological origin and we’ve
designed our tools to make that technically not feasible,” said Tom Stocky,
vice president for search at the social network, in a post. “At the same time, our reviewers’ actions are
logged and reviewed, and violating our guidelines is a fireable offense.”

(Related) This may be why the Republicans believe the
rumors. Still, this amount is trivial
compared to a bias in favor of Hillary.

If Donald Trump
is elected president, a new dating app known as Maple Match promises to help
Americans fall in love with their neighbors to the north and move to
Canada.

“Make dating great again,” reads the slogan from Maple Match, which promises to “make it
easy for Americans to find the ideal Canadian partner to save them from the unfathomable horror of a Trump presidency.”

The matchmaking service has yet to launch, but nearly
5,000 people have already signed up, according
to The Guardian.

Access to a new tool. As I read it, you have to have the mobile app
on your phone first.

Though it’s the biggest messaging application in the world
with more than 1 billion active users, WhatsApp has for years lived primarily
on mobile phones. That could change
significantly from Wednesday, when WhatsApp launched its first desktop apps for
Windows 8 and Mac OS 10.9 and up.

The apps
sync with a WhatsApp user’s account on their mobile device, once
they’ve downloaded them and scanned a QR code from inside Settings >
WhatsApp Web on the mobile app.

Facebook has launched its facial-recognition photos app in
Europe and Canada – without facial recognition.

The company first launched its “Moments” app in the US
last year. It is meant as an easy way of
sharing photos, using recognition technology to pick out photos that include
the same people and grouping them together.

But since people were automatically opted into that
feature, and so had their faces and identities analysed by people who were
using the app, privacy watchdogs in the EU and Canada stopped it coming from
the UK.

According to an online
post, people can now use Sign
in with Slack to log into Quip, a document
creation application. Users can then
give their existing Slack team members access to Quip documents and lists. And it’s easy to convert Slack chats to Quip
documents, if needed.

Five other companies, Figma, Kifi, OfficeVibe, Slackline,
and Smooz, have also integrated their apps with Slack, the company said.

…That means fewer
passwords to remember, which most will agree is a good thing.

Amusing, but I probably won’t be sharing this one with my Computer
Security students.

This Popular Porn Site Debuted a Bug Bounty Program on the
Same Platform as the Pentagon

Maximum bounty for hackers: $25,000.

Pornhub, one of the world’s most popular pornography
sites, unveiled a bug bounty program on Tuesday.

The company, owned by Canadian private firm MindGeek, will
pay white hat hackers for finding computer bugs on its site and reporting those
vulnerabilities to its owners. The site
is running the program through the startup HackerOne, a bug bounty software
startup that spun
out of Facebook and that operates similar
programs for companies such as General Motors,
Uber, Twitter, Yahoo, Dropbox—and even the United States
Department of Defense.

At a conference a year ago, David
Siegel, co-chairman of quantitative hedge fund firm Two
Sigma and an artificial-intelligence expert, predicted that computer-driven
managers will one day rule the markets. "The challenge facing the investment
world is that the human mind has not become any better than it was 100 years
ago, and it's very hard for someone using traditional methods to juggle all the
information of the global economy in their head," he said. "Eventually, the time will come that no
human investment manager will be able to beat the computer."

Apparently, Siegel's future has already become a reality. This year about half of the 25 highest-earning
hedge fund managers topping Alpha's 15th annual Rich List used computer-generated
investing strategies to produce all or some of their investment gains. They include Siegel and John
Overdeck, his Two Sigma co-chairman and co-founder, who qualify for the
Rich List for the first time. They tie
for seventh place after earning $500 million each last year.

In fact, six of the top eight on this year's ranking are
considered to be full-fledged quants: managers who rely heavily on
sophisticated computer programs as part of their process. This is a far cry from 2002, when just two
computer-driven managers qualified for the initial ranking, including Renaissance
Technologies founder James
Simons, the only person to appear all 15 years.

This year Simons shares the top spot with Citadel's Kenneth
Griffin, who has invested huge sums over the years in what he touts as a
state-of-the-art computer system. They
each earned $1.7 billion in 2015 after posting roughly midteens gains in their
main hedge funds.

He explained that the computers and biometric verification
devices containing data gathered on the last day of the registration exercise
on Sunday were all missing. [Did they
wait until all the data had been gathered? Bob]

For my Ethical Hacking students. Try not to cross the line, and if you do, be
sure to have a scapegoat handy.

David Levin, owner of Vanguard Cybersecurity, discovered
in December that the elections website of Lee County was plagued by an SQL
injection vulnerability that allowed access to credentials stored in plain
text. The expert later also identified
security holes on the Florida Division of Elections website.

Levin contacted a supervisor of elections candidate and in
January they made a video demonstrating the existence of the SQL injection flaw
on the Lee County elections website and showed how exposed credentials could be
used to access accounts and information. The security hole was only then reported to
the Supervisor of Elections Office.

According to local reports, the white hat hacker was arrested last week
and charged with three counts of unauthorized access to a computer or a
computer system. He was released on a
$15,000 bond after a few hours.

… “Dave obviously
found a serious risk but rather than just stopping there and reporting it, he
pointed a tool at it that sucked out a volume of data. That data included credentials stored in plain
text (another massive oversight on their behalf) which he then used to log onto
the website and browse around private resources (or at least resources which
were meant to be private),” said Troy Hunt, a security expert who has often
been involved in the disclosure of serious vulnerabilities.

Hunt pointed out that in the case of SQL injection vulnerabilities
such as the one found by Levin, it’s easy to demonstrate that a risk exists
without actually accessing any potentially sensitive data.
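The two defects this story describes, SQL text built by string splicing and credentials stored in plain text, shown beside their hardened forms. This is an added example, not code from the article or from any of the sites it mentions; the table layout and the sample accounts are constructed. It also makes Hunt's point concrete: a username containing a single apostrophe is enough to show the spliced query reaches the database parser, with no data read at all.

```python
"""Added example: string-built SQL and plaintext passwords beside parameterized
queries and salted hashes. Everything runs against an in-memory SQLite database
with constructed sample data."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; the site in the story stored passwords in plain text.
SAMPLE_ACCOUNTS = [("clerk", "hunter2"), ("admin", "Election2016!")]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a freshly derived digest against the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def setup_db():
    """Two tables: the defective layout (plaintext) and the hardened one (salt + hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute(
        "CREATE TABLE users_hardened (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for user, pw in SAMPLE_ACCOUNTS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, pw))
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users_hardened VALUES (?, ?, ?)", (user, salt, digest))
    return conn


def find_user_vulnerable(conn, username):
    """Defect: the caller's string becomes part of the SQL text, so any quote in the
    input changes the statement. Also hands back the plaintext password column."""
    sql = f"SELECT username, password FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def vulnerable_query_breaks(conn, username):
    """Hunt's point: an apostrophe in the input (e.g. a legitimate name like O'Brien)
    makes the spliced statement fail to parse. That alone shows the input reaches the
    SQL parser, with no sensitive data retrieved."""
    try:
        find_user_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def find_user_hardened(conn, username):
    """Fix: a bound parameter. The input is only ever compared as data, and the
    query does not expose any secret column."""
    sql = "SELECT username FROM users_hardened WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


def login_hardened(conn, username, password):
    """Authenticate without a plaintext password ever existing in the database."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hardened WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


if __name__ == "__main__":
    db = setup_db()
    name = "O'Brien"  # an ordinary name with an apostrophe, not an attack string
    print("spliced query fails on apostrophe:", vulnerable_query_breaks(db, name))
    print("parameterized lookup for same input:", find_user_hardened(db, name))
    print("hardened login for clerk:", login_hardened(db, "clerk", "hunter2"))
```

The same apostrophe that breaks the spliced statement is handled as plain data by the bound parameter, which is the whole difference between the two lookups.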

Important news out of the UK this morning, where the
government (National Crime Agency) tried to get a court to compel Lauri
Love to provide decryption key to devices they had seized from him. Love had refused, arguing (understandably),
that he had never been charged with any crime, and that they were attempting to
do an end-run around protections under RIPA by a back-door route (“case
management”) to forcing compliance.

This morning, the court denied the government’s motion. The Free Lauri campaign explains:

This morning at Westminster
Magistrates’ Court, District Judge Nina Tempia rejected a
National Crime Agency (NCA) request to use the court’s case management powers
to order Lauri Love to hand over his encryption keys, preventing a dangerous
precedent that would have given UK police new powers to compel people to
decrypt their electronic devices, even if they are not suspected of a crime.

Remarking on the NCA’s
application, the judge said that authorities must instead use the existing
legal regime created by the Regulation of Investigatory Powers Act (RIPA) if
they wish to compel someone to surrender encryption keys, and that the court’s
case management powers cannot be used by authorities to circumvent statutory
safeguards in RIPA.

The information on the encrypted devices may, or may not,
contain evidence relating to charges Love faces in the U.S., and the US has
previously applied to the UK to extradite Love. Love has been fighting the extradition,
claiming that if there are any charges, they should be filed and tried in the
UK. But the UK did not find
evidence/grounds to prosecute Love there.

So if Love’s going to be prosecuted for hacking – and he’s
been indicted in three federal districts here by now – it’s going to be in the
US, and today’s ruling in the UK means that the US won’t be getting any
additional evidence from his devices in the foreseeable future. Of course, they will argue that they already
have enough evidence and just need the UK to extradite Love, but today’s ruling
is likely a disappointment to prosecutors here.

“GAO found that the majority of the reviewed websites for
smartphone tracking applications (apps) marketed their products to parents or
employers to track the location of their children or employees, respectively,
or to monitor them in other ways, such as intercepting their smartphone
communications. Several tracking apps
were marketed to individuals for the purpose of tracking or intercepting the
communications of an intimate partner to determine if that partner was
cheating. About one-third of the
websites marketed their tracking apps as surreptitious, specifically to track
the location and intercept the smartphone communications of children,
employees, or intimate partners without their knowledge or consent. The key concerns of the stakeholders with whom
GAO spoke—including domestic violence groups, privacy groups, and
academics—were questions about:

(1) the applicability of current
federal laws to the manufacture, sale, and use of surreptitious tracking apps;

(2) the limited enforcement of
current laws; and

(3) the need for additional
education about tracking apps.

GAO found that some federal laws apply or potentially
apply to smartphone tracking apps, particularly those that surreptitiously
intercept communications such as e-mails or texts, but may not apply to some
instances involving surreptitiously tracking location. Statutes that may be applicable to
surreptitious tracking apps, depending on the circumstances of their sale or
use, are statutes related to wiretapping, unfair or deceptive trade practices,
computer fraud, and stalking. Stakeholders
also expressed concerns over what they perceived to be limited enforcement of
laws related to tracking apps and stalking. Some of these stakeholders believed it was
important to prosecute companies that manufacture surreptitious tracking apps
and market them for the purpose of spying. Domestic violence groups stated that
additional education of law enforcement officials and consumers about how to
protect against, detect, and remove tracking apps is needed. The federal government has undertaken
educational, enforcement, and legislative efforts to protect individuals from
the use of surreptitious tracking apps, but stakeholders differed over whether
current federal laws need to be strengthened to combat stalking. Educational efforts by the Department of
Justice (DOJ) have included funding for the Stalking Resource Center, which
trains law enforcement officers, victim service professionals, policymakers,
and researchers on the use of technology in stalking. With regard to enforcement, DOJ has prosecuted
a manufacturer and an individual under the federal wiretap statute for the
manufacture or use of a surreptitious tracking app. Some stakeholders believed the federal wiretap
statute should be amended to explicitly include the interception of location
data and DOJ has proposed amending the statute to allow for the forfeiture of
proceeds from the sale of smartphone tracking apps and to make the sale of such
apps a predicate offense for money laundering. Stakeholders differed in their opinions on the
applicability and strengths of the relevant federal laws and the need for
legislative action. Some industry
stakeholders were concerned that legislative actions could be overly broad and
harm legitimate uses of tracking apps. However,
stakeholders generally agreed that location data can be highly personal
information and are deserving of privacy protections.”

According to the most recent Verizon data breach report, a phishing email is often the first
phase of an attack. That's because it
works well, with 30 percent of phishing
messages opened, but only 3 percent reported to management.

Something for my Computer Security students to
ponder. What should you tell Watson and
what should you keep from ‘him?’ (Note
that you make copies of a non-specific Watson and then teach whatever he needs
to know.)

…Ginni Rometty,
CEO of IBM,
will introduce a cybersecurity-specific
version of Watson at an IBM computer security summit on Tuesday, the
company said. The project, powered by
IBM’s Bluemix cloud computing platform, includes a partnership between IBM and
eight universities that begins in the fall.

…IBM researchers
have already begun feeding Watson with all sorts of computer security data
sourced from its open access threat intelligence platform, called X-Force
Exchange.

…Watson is also
designed to ingest research papers, blog posts, news stories, media reports,
alerts, textbooks, social media posts, and more to build up knowledge about all
the latest cyber threats. Students at the partnering schools will help input and
annotate this so-called unstructured data (meaning data that’s not
easily machine readable) to train the system.

Would there be a market for a truly secure
smartphone? Perhaps my students could
write the OS as a final exam?

The government wants to know why it takes so long for your
smartphone to get security updates

We trust our smartphones with an astounding amount of
information, but all too often those devices may not be protected with the
latest security fixes. That's the problem at the heart of a new
government project announced
today in which the Federal Communications Commission and the Federal
Trade Commission are teaming up to examine the sometimes messy way security
patches are delivered to consumers' smartphones.

Computers Gone Wild: Impact and Implications of
Developments in Artificial Intelligence on Society

May 9, 2016. The following summary was written by Samantha Bates:

“The second “Computers Gone Wild: Impact and Implications
of Developments in Artificial Intelligence on Society” workshop took place on
February 19, 2016 at Harvard Law School. Marin Soljačić, Max Tegmark,
Bruce Schneier, and Jonathan Zittrain convened this informal workshop to
discuss recent advancements in artificial intelligence research. Participants represented a wide range of
expertise and perspectives and discussed four main topics during the day-long
event:

the impact of artificial
intelligence on labor and economics,

algorithmic decision-making,
particularly in law,

autonomous weapons, and

the risks of emergent human-level
artificial intelligence.

Each session opened with a brief overview of the existing
literature related to the topic from a designated participant, followed by
remarks from two or three provocateurs. The session leader then moderated a discussion
with the larger group. At the conclusion
of each session, participants agreed upon a list of research questions that
require further investigation by the community. A summary of each discussion as well as the
group’s recommendations for additional areas of study are included here…”

Made for attack ads. Of greater concern, have they lost anything else? (If we’re lucky, they only “loose” emails
that might embarrass the administration – or the next one.)

The State Department can find no emails to or from a
former Hillary Clinton aide who worked for the agency and also managed
Clinton’s private computer server while she served as secretary of state, the
government said in a new court filing on Monday.

The government said as much in U.S. District Court in
Washington in answer to a lawsuit by the Republican National Committee. The committee had sued over its public records
request for all work-related emails sent to or received by Clinton’s former
aide, Bryan Pagliano, between 2009 and 2013, the years of Clinton’s tenure.

…agency officials
continue to search for “Mr. Pagliano’s emails, which the department may have
otherwise retained.”

Google has proven in the past that its scale means that
something like a small shift in shade can have big consequences. In the early days, Google tested 40 different
shades of blue for its links and the winning hue helped it reel in an
extra $200 million a year in ad revenue.

Some users are saying that the change makes it harder to
differentiate between which links they've clicked and which they haven't.

Perspective. Soon,
my only option will be to buy a smartphone that talks to me. “What took you so long, Bob?”

Sales of PCs, laptops, and tablets fell 13% in Q1, reaching
lowest point since 2011

…According to
the latest report from market research firm Canalys, shipments of PC
devices (including desktops, notebooks, two-in-ones, and tablets) amounted to
101 million units in the first quarter of 2016. That represents a decline of 13 percent from
the same period a year ago — the lowest volume since the second quarter of
2011.

“This database contains information on almost 320,000
offshore entities that are part of the Panama Papers and the Offshore Leaks
investigations. The data covers nearly
40 years – from 1977 through 2015 – and links to people and companies in more
than 200 countries and territories. The
real value of the database is that it strips away the secrecy that cloaks
companies and trusts incorporated in tax havens and exposes the people behind
them. This includes, when available, the
names of the real owners of those opaque structures. In all, the interactive application reveals
more than 360,000 names of people and companies behind secret offshore
structures. They come from leaked
records and not a standardized corporate registry, so there may be duplicates. In some cases, companies are listed as
shareholders for another company or a trust, an arrangement that often helps
obscure the flesh-and-blood people behind offshore entities. ICIJ obtained the data through two massive
leaks. The majority of the names in this
database come from Panamanian law firm Mossack Fonseca, whose inner workings were exposed in the Panama Papers
investigation published in April 2016 in conjunction with Süddeutsche Zeitung
and more than 100 other media partners. Around a third of the offshore entities were
incorporated through Portcullis
Trustnet (now Portcullis) and Commonwealth
Trust Limited, two offshore service providers exposed as part of ICIJ’s
2013 Offshore Leaks exposé.
This was the first information added to
this database when it was released in June 2013, which was then produced in
conjunction with Costa Rican newspaper La Nación. The database does not disclose the totality of
the leaked records. It doesn’t divulge
raw documents or personal information en masse. It contains a great deal of information about
company owners, proxies and intermediaries in secrecy jurisdictions, but it
doesn’t disclose bank accounts, email exchanges and financial transactions
contained in the documents. ICIJ is publishing the information in the public
interest. While many of the activities
carried out through offshore entities are perfectly legal, extensive reporting
by ICIJ and its media partners for more than four years has shown that the
anonymity granted by the offshore economy facilitates money laundering, tax
evasion, fraud and other crimes. Even
when it’s legal, transparency advocates argue that the use of an alternative, parallel economy
undermines democracy because it benefits a few at the expense of the majority. Read more about why ICIJ is making this
information public here. The questions
and answers below address the most frequent questions about this data. If you still have questions after reading
them, please get in touch with us.”

For those students who always have those plug thingies in
their ears. “What lecture?”


About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.